How we can get out of the DNS DDoS trap

David Holmes, technical marketing manager, F5 Networks | June 10, 2013
A new class of enormous DDoS attacks emerged March 26 with a DNS reflection attack by email spammer CyberBunker against anti-spam service Spamhaus. The reported traffic peak of 300Gbps was double the previous record.

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.

Experts say these enormous volumetric attacks will gain in popularity because they leverage existing Internet DNS servers, meaning there is no need to recruit one's own botnet or even rent one. These types of attacks are called reflection (and sometimes amplification) attacks because relatively few small requests directed at a DNS server result in a significantly larger amount of response traffic that is forwarded toward the victim.

The good news is this type of systemic problem has been faced before, and to some extent, fixed. Remember when email spam was the majority of Internet traffic? DNS reflection attacks are a similar problem, though, thank goodness, there isn't the same insane direct profit motive that drove email spam.

What enables DNS reflection attacks is the continued tolerance of open DNS resolvers on the Internet. A DNS server is considered to be an "open" resolver if it will accept and forward name queries for domains that it does not serve. These open resolvers can then be used to generate the traffic load against the victim. Typically a resolver does not need to be open -- it is usually just misconfiguration that causes this, and the owner/operator doesn't even know it is happening. The Open Resolver Project lists 25 million of these servers. If they were considered a botnet, it would be among the largest and most powerful botnets ever created.
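For operators who want to check their own server against the definition above, here is an added example (not part of the original article) that classifies a reply to a query for a domain the server does not serve and reports the response-to-request size ratio. The function names, verdict strings and sample headers are assumptions made for illustration.

```python
import socket
import struct

def build_query(name, qtype=1, txid=0x1234):
    """DNS query for `name` (type A by default) with RD, recursion desired, set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN

def classify(response):
    """Judge a reply to a query for a name the server is NOT authoritative for."""
    if len(response) < 12:
        return "malformed"
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    qr, aa, ra = (flags >> 15) & 1, (flags >> 10) & 1, (flags >> 7) & 1
    rcode = flags & 0xF
    if not qr:
        return "malformed"
    if rcode == 5:                       # REFUSED: the desired answer to outsiders
        return "refused"
    if ra and not aa and (ancount > 0 or rcode == 3):
        return "open"                    # it recursed on a stranger's behalf
    return "not-recursing"               # e.g. referral or authoritative data only

def probe(server_ip, name, timeout=3.0):
    """Query a resolver you operate; returns (verdict, response/query size ratio)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server_ip, 53))
        try:
            response, _addr = sock.recvfrom(4096)
        except socket.timeout:
            return "no-response", 0.0
    return classify(response), len(response) / len(query)

# Constructed 12-byte headers (not captured traffic) for offline checking.
SAMPLE_OPEN = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)     # RA set, 1 answer
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)  # RCODE 5
SAMPLE_AUTH = struct.pack("!HHHHHH", 0x1234, 0x8500, 1, 1, 0, 0)     # AA set, no RA
```

Run `probe()` from a host outside the resolver's intended client networks; a verdict of "open" there means the server answers recursive queries for anyone.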

Another aspect that enforces the status quo and enables DNS reflection attacks is the devotion to the minimization of latency. Everyone wants the Internet to be fast (who wouldn't?), and a responsive DNS system is seen as key. The very, very large DNS systems deployed by carriers can and do regularly respond to millions of queries per second. Single-packet requests and responses via UDP are used to achieve this scale. But the stateless nature of UDP means that it does not provide identity and is effectively "untraceable" -- attackers can very easily spoof UDP packets and the DNS servers have no way to tell that this has been done and that by responding they may be unwittingly attacking an innocent victim.

So, is there a way out of this DNS DDoS trap?

A smarter DNS infrastructure is the answer; a smarter infrastructure that is mindful about not just its positive impact but also its destructive ability. Enterprises, vendors and services can work together to bring the DNS infrastructure to this higher plane of intelligence.
